OFFICE OF INSPECTOR GENERAL

AUDIT OF THE MILLENNIUM CHALLENGE CORPORATION'S FISCAL YEAR 2013 COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. M-000-13-005-P
SEPTEMBER 20, 2013

WASHINGTON, D.C.

This is a summary of our report on the "Audit of the Millennium Challenge Corporation's Fiscal Year 2013 Compliance With the Federal Information Security Management Act of 2002." The Office of Inspector General (OIG) contracted the independent certified public accounting firm of CliftonLarsonAllen LLP to conduct the audit in accordance with generally accepted government auditing standards.

The objective of the audit was to determine whether the Millennium Challenge Corporation (MCC) implemented selected minimum security controls for selected information systems to meet the Federal Information Security Management Act of 2002 (FISMA) requirements to reduce the risk of data tampering, unauthorized access to and disclosure of sensitive information, and disruption to MCC's operations.

To answer the audit objective, Clifton assessed whether MCC implemented selected management, technical, and operational controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3. Clifton performed audit fieldwork at MCC's headquarters in Washington, D.C., from March 28, 2013, to July 11, 2013.

The audit concluded that MCC implemented 116 of 141 selected security controls for selected information systems in support of FISMA. For example, MCC complied with the following NIST requirements:

• Categorized its information systems and the information processed, stored, or transmitted in accordance with federal guidelines, and designated senior-level officials within the organization to review and approve the security categorizations.

• Implemented an effective incident handling and response program.

• Maintained an adequate and effective specialized training program for employees who needed role-based training.

• Implemented an effective identification and authentication program.

• Implemented an effective system maintenance program.

Although MCC generally had policies for its information security program, its implementation of those policies was not fully effective in preserving the confidentiality, integrity, and availability of the Agency's information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction.

To address the weaknesses reported in Clifton's report, OIG made 15 recommendations to MCC's management. Four of them asked MCC to reopen recommendations made in the previous year's audit. Although OIG acknowledged MCC's management decisions on each of the 15 recommendations, it did not agree with MCC's management decisions for 2 of them. Therefore, OIG encouraged MCC to revisit its management decisions for those recommendations and revise them to fully address the weaknesses identified in Clifton's audit report.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov